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What is claimed is: 

1 \ 1 . A system for dynamically detecting computer viruses through 

2 associative behavioral analysis of runtime state, comprising: 

3 \a parameter set stored on a client system defining a group of monitored 

4 events which each comprise a set of one or more actions defined within an object, 

5 each actionizing performed by one or more applications executing within a 

6 defined computing environment; 

7 a monitV executing on the client system, comprising: 

8 a collector continuously monitoring the runtime state within the 

9 defined computing environment for an occurrence of any one of the monitored 

10 events in the group ana, tracking the sequence of the execution of the monitored 

1 1 events for each of the applications; and 

12 an analyzer\dentifying each occurrence of a specific event 

13 sequence characteristic of computer virus behavior and the application which 

14 performed the specific event sequence, creating a histogram describing the 

15 specific event sequence occurrence for each of the applications, and identifying 

16 repetitions of the histogram associated with at least one object. 

1 2. A system according to Claim 1, further comprising: 

2 a storage manager organizing the histograms into plurality of records 

3 ordered by object, application, and monitored event. 

1 3. A system according to Claim 2,\iirther comprising: 

2 a structured database in which the plurality of records is stored; and 

3 the storage manager storing each histogramVor each such specific event 

4 sequence occurrence in one such database record identified by the application by 

5 which the specific event sequence was performed. \ 

1 4. A system according to Claim 3, further comprising: 

2 the storage manager configuring the structured databases an event log 

3 organized by each event in the group of monitored events and updating the 
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4 database record storing each specific event sequence occurrence with a revised 

5 histogram as each such occurrence is identified. 

1 5.\ A system according to Claim 1, further comprising: 

2 the analyzer detecting suspect activities within each histogram, each 

3 suspect activiry comprising a set of known actions comprising a computer virus 

4 signature. \ 

1 6. A sykem according to Claim 6, wherein each such suspect activity 

2 is selected from the class of actions comprising file accesses, program executions, 

3 message transmissions, configuration area accesses, security setting accesses, and 

4 impersonations. \ 

1 7. A system according to Claim 6, wherein each such suspect activity 

2 is selected from the group comprising files accesses, program executions, direct 

3 disk accesses, media formatting operations, sending of electronic mail, system 

4 configuration area accesses, changes to security settings, impersonations, and 

5 system calls having the ability to monitor system input/output activities. 

1 8. A system according to CMm 1, wherein the computer virus 

2 comprises at least one form of unauthorized content selected from the group 

3 comprising a computer virus application, a Trojan horse application, and a hoax 

4 application. \ 

1 9. A method for dynamically detecting computer viruses through 

2 associative behavioral analysis of runtime state, comprising: 

3 defining a group of monitored events which each comprise a set of one or 

4 more actions defined within an object, each action being performed by one or 

5 more applications executing within a defined computingWvironment; 

6 continuously monitoring the runtime state within the defined computing 

7 environment for an occurrence of any one of the monitored events in the group; 



0132.01. apl 



- 13- 



8 \ tracking the sequence of the execution of the monitored events for each of 

9 the applications; 

10 identifying each occurrence of a specific event sequence characteristic of 

1 1 computer\irus behavior and the application which performed the specific event 

12 sequence; \ 

1 3 creating^ histogram describing the specific event sequence occurrence for 

14 each of the applications; and 

1 5 identifying repetitions of the histogram associated with at least one object. 

1 10. A method according to Claim 9, further comprising: 

2 organizing the histograms into plurality of records ordered by object, 

3 application, and monitoredWent. 

1 1 1 . A method according to Claim 1 0, further comprising: 

2 maintaining a structured\database in which the plurality of records is 

3 stored; and \ 

4 storing each histogram for each such specific event sequence occurrence 

5 in one such database record identified\by the application by which the specific 

6 event sequence was performed. \ 

1 12. A method according to Clami 1 1, further comprising: 

2 configuring the structured database as an event log organized by each 

3 event in the group of monitored events; and \ 

4 updating the database record storing eacti specific event sequence 

5 occurrence with a revised histogram as each such\>ccurrence is identified. 

1 1 3. A method according to Claim 9, furtnfer comprising: 

2 detecting suspect activities within each histogram, each suspect activity 

3 comprising a set of known actions comprising a computervirus signature. 

1 14. A method according to Claim 13, wherein each such suspect 

2 activity is selected from the class of actions comprising file Accesses, program 
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3 ^executions, message transmissions, configuration area accesses, security setting 

4 accesses, and impersonations. 

1 \ 1 5. A method according to Claim 13, wherein each such suspect 

2 activity \s selected from the group comprising files accesses, program executions, 

3 direct disK accesses, media formatting operations, sending of electronic mail, 

4 system configuration area accesses, changes to security settings, impersonations, 

5 and system calls having the ability to monitor system input/output activities. 

1 16. ^method according to Claim 9, wherein the computer virus 

2 comprises at least erne form of unauthorized content selected from the group 

3 comprising a computer virus application, a Trojan horse application, and a hoax 

4 application. \ 

1 1 7. A computer-readable storage medium holding code for 

2 dynamically detecting computer viruses through associative behavioral analysis of 

3 runtime state, comprising: \ 

4 defining a group of monitored events which each comprise a set of one or 

5 more actions defined within an abject, each action being performed by one or 

6 more applications executing within a defined computing environment; 

7 continuously monitoring the Witime state within the defined computing 

8 environment for an occurrence of any We of the monitored events in the group; 

9 tracking the sequence of the execution of the monitored events for each of 

10 the applications; \ 

1 1 identifying each occurrence of a specific event sequence characteristic of 

12 computer virus behavior and the application which performed the specific event 

13 sequence; \ 

14 creating a histogram describing the specific event sequence occurrence for 

15 each of the applications; and \ 

16 identifying repetitions of the histogram associated with at least one object. 
1 1 8. A storage medium according to Claim 1 A further comprising: 
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2 ^organizing the histograms into plurality of records ordered by object, 

3 application and monitored event. 

1 19. A.storage medium according to Claim 1 8, further comprising: 

2 maintaining^ structured database in which the plurality of records is 

3 stored; and \ 

4 storing each histog^rn for each such specific event sequence occurrence 

5 in one such database record identified by the application by which the specific 

6 event sequence was performed. \ 

1 20. A storage medium acceding to Claim 19, further comprising: 

2 configuring the structured databases an event log organized by each 

3 event in the group of monitored events; and \ 

4 updating the database record storing each specific event sequence 

5 occurrence with a revised histogram as each such occurrence is identified. 

1 2 1 . A storage medium according to Claim 1N7, further comprising: 

2 detecting suspect activities within each histogramWch suspect activity 

3 comprising a set of known actions comprising a computer vmis signature. 
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